Muddy Water is a group that targets government organizations and telecommunications providers, mostly located in the Middle East. The threat surfaced in late 2017. The infection vector and the first phase of the infection were largely documented in late 2017 and early 2018. On May 29, Kaspersky Lab published its analysis of the tasks the malicious program performs after infection.

FIGURE 1 – Locations of targets – Kaspersky Lab

As a reminder, the initial infection vector is a VBA macro embedded in a Microsoft Word document in 97-2003 format, distributed by e-mail. The document is usually password-protected to defeat static analysis engines. When the Word document is opened, the emblem of a Middle Eastern country is displayed to encourage the victim to enable macros.

When the VBA “dropper” runs, it downloads several files that contain the second stage of the infection. Two variants have been identified, both of which seek to run a PowerShell script. This script contains mechanisms for obfuscation, anti-debugging, contacting a command-and-control (CnC) server, and sending information about the infected machine so that victims can be selected by geolocation and by the entity they belong to. The script also supports several commands issued by the CnC server that take screenshots, run PowerShell scripts by various means, send files to the CnC server, restart the machine, and destroy hard drives.

FIGURE 2 – Turkish Ministry of the Interior – Kaspersky Lab

The second part of the analysis conducted by Kaspersky Lab reveals that a wide range of tools is deployed on the targeted machines. These tools serve to finalize the victims’ infection and to exfiltrate data. The analysis shows that they are primarily written in scripting languages such as Python, C#, VBA, and PowerShell. Muddy Water also compiles its Python and PowerShell tools with Py2exe and PS2EXE to make them more portable. The tools include both custom developments and publicly available ones.

Here is the list of tools identified by Kaspersky Lab:

  • Nihay (C#): Downloads and executes PowerShell “one-liners”.
  • LisfonService (C#): A remote access tool that retrieves basic information about the infected machine and runs PowerShell code.
  • client.py (Python): A Python executable compiled with PyInstaller that retrieves basic information about the infected machine and executes commands implemented in VBS, run via cscript.exe. It can also install a keylogger, steal Chrome logins, kill the Task Manager, and display alert messages.
  • client-win.py (Python): A Python executable compiled with PyInstaller that uses the Paramiko library to open SSH connections to the CnC.
  • rc.py/rc.exe (Python): A Python executable compiled with PyInstaller and compressed with UPX. This remote access tool collects login details from Chrome, IE, Mozilla, Opera, and Outlook, and runs system commands.
  • LaZagne (Python): This public tool extracts login details and histories from web browsers and Outlook.
  • Muddy (Python): This LaZagne-based tool extracts login details from web browsers and e-mail clients such as Chrome, IE, Mozilla, Opera, Coccoc, and Outlook.
  • Slaver.py (Python): This tool opens TCP connections to the CnC.
  • Cr.exe (Python): A compiled Python script based on CrackMapExec, used to collect login details and carry out lateral movement.
  • Mmap.py (Python): A script based on CrackMapExec, used to carry out lateral movement.
  • Second-stage script (PowerShell): This tool downloads and runs other PowerShell scripts and implements a remote access tool with multiple features (encryption, encoding, changing Windows settings).
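From a defender’s side, the behaviours described above (a Word macro launching PowerShell, downloaded PowerShell one-liners as used by Nihay, and VBS commands run through cscript.exe by client.py) can be turned into simple process-creation rules. The following is an added example, not code from the Kaspersky Lab analysis or from the group’s tooling; the record fields, the rule names and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Traits of downloaded PowerShell "one-liners": encoded commands, download cradles, IEX.
ONELINER_RE = re.compile(r"(?i)(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}"
                         r"|downloadstring|downloadfile|\biex\b|invoke-expression)")
# User-writable locations from which a dropped .vbs is typically run.
USER_WRITABLE_RE = re.compile(r"(?i)\\(appdata\\local\\temp|users\\public|programdata)\\")

@dataclass
class ProcEvent:  # minimal process-creation record (Sysmon EID 1 style; fields assumed)
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return the names of every rule that fires for one event."""
    hits = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")        # macro dropper stage
    if child == "powershell.exe" and ONELINER_RE.search(ev.command_line):
        hits.append("powershell_oneliner")              # Nihay-style one-liner
    if child == "cscript.exe" and USER_WRITABLE_RE.search(ev.command_line):
        hits.append("cscript_from_user_writable_path")  # VBS command run via cscript.exe
    return hits

def scan(events) -> dict:
    """Map the index of each event that fires at least one rule to its rule names."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}

# Constructed sample events: two mirroring the behaviours above, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -e UGxhY2Vob2xkZXJCYXNlNjRQYXlsb2Fk"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\client.exe", r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\Users\alice\AppData\Local\Temp\cmd_123.vbs"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first two events; the regular expressions are deliberately narrow and should be tuned to the environment’s own baseline before use.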

Kaspersky Lab’s analysis also shows that the malicious code used by the Muddy Water group contains several artifacts. These artifacts suggest that the developers may be Russian or Chinese in origin. No statement has been made about the actual origin of the Muddy Water group.

The Muddy Water analysis shows that malicious groups have been able to broaden their range of compromise tools to include ones built on highly adaptable and customizable technologies such as Python and PowerShell. Moreover, the wide availability of tools in both of these languages opens up a very broad range of possibilities and speeds up implementation.